Backup plays a key role in ransomware response, but is not a complete solution
Ransomware attacks have increased in volume, sophistication, and the size of ransoms demanded over the past few years. According to published records, the education and retail industries are the most targeted.
The energy, oil and gas industries and local government are the most likely to pay a ransom demand, while manufacturing and production are best able – and local government and healthcare least able – to restore systems from a backup.
These details were published in the State of Ransomware Attacks 2022 report by risk management firm CyberSaint (PDF). CyberSaint co-founder and CPO Padraic O’Reilly adds the caveat that there is an inherent and unavoidable bias in this method of data collection: the numbers do not and cannot account for victims who pay the ransom quietly without reporting the compromise.
There has been a recent wave of optimism following the arrest by Russian authorities of REvil members in January 2022. The hope was for a drop in ransomware activity coupled with an increase in international law enforcement cooperation. Although certain factors contribute to the success of the fight against data extortion attacks, the threat is always present. O’Reilly told SecurityWeek that he hopes for an improvement, but does not necessarily expect one.
On February 9, 2022, CISA, the FBI, the NSA, Australia’s ACSC and the UK’s NCSC issued a joint cybersecurity alert regarding trends showing an increased global ransomware threat. The alert warned that “if the criminal ransomware business model continues to generate financial returns for ransomware actors, ransomware-related incidents will become more frequent.”
The ransomware model continues to evolve and shows no signs of becoming less profitable for criminals. Noting the growing ransomware-as-a-service (RaaS) model, CyberSaint’s report comments, “This malware business model allows developers to make money by selling kits and taking a cut of the demanded ransom… The earning potential is limitless as the demand for malware kits increases.”
“We’ll always have the bad actors,” O’Reilly added. Referencing the REvil incident, he continued, “I don’t think tacit approval from one nation state or another is the biggest issue here.” There are several other countries where tech-savvy criminals could likely operate with impunity. Iran is known to be increasing its ransomware activity, while the North Korean umbrella group Lazarus has long been associated with it.
“The biggest problem,” O’Reilly said, “is that there are major gaps in the protection mechanisms of some very large critical infrastructure companies. As long as there are those flaws, there will be bad actors to take advantage of them.” He doesn’t see much activity against critical infrastructure coming from nation states, because governments tend to shy away from anything that could be considered direct cyber warfare – but criminal gangs have no such qualms.
And as long as the RaaS model is up and running, there will still be incidents. The Colonial Pipeline incident is perhaps an example of this – it wasn’t DarkSide itself, but reportedly an affiliate of the DarkSide RaaS, that launched the attack.
O’Reilly doesn’t think we should worry about the geopolitics of ransomware attacks, or wait for a potential improvement in international law enforcement cooperation, but instead should focus on laying the groundwork for ransomware prevention. “At least,” he told SecurityWeek, “we need to close the RDP gate with MFA and add an effective backup.”
Backup is part of the solution, but not a complete solution. “Our statistics show,” he continued, “a correlation between the existence of a backup and the reluctance of victims to pay the ransom.” The manufacturing and production sector is the least likely to pay a ransom, but the most likely to have good backup. Conversely, healthcare and local government rank high among the sectors likely to pay a ransom, but are the least likely to have a good backup.
However, backups will not protect you against extortion based on exfiltrated PII: restoring systems does nothing to recover data an attacker has already copied and threatens to publish.